Hello Stephan

On 05/03/2017 05:25 PM, Stephan Bergmann wrote:
> [following instructions at
> <https://www.kernel.org/doc/man-pages/patches.html>:]
>
> While toying around with the userns_child_exec example program on the
> user_namespaces(7) man page, I noticed two things:
>
> * In the EXAMPLE section, we need to mount the new /proc before looking
>   at /proc/$$/status, otherwise the latter will print information about
>   the outer namespace's PID 1 (i.e., the real init). So the two
>   paragraphs need to be swapped.
>
> * In the program source, make sure to close pipe_fd[0] in the child
>   before exec'ing.
>
> The below patch is against current git master
> (0708cba1d9072df6666ae2df949c24fbb87e3c11):

Thanks for the patch! Unfortunately, it was broken (quoted), so I
applied the changes manually.

Cheers,

Michael

>> diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 >> index a7a8924..2abfbe5 100644 >> --- a/man7/user_namespaces.7 >> +++ b/man7/user_namespaces.7 >> @@ -971,21 +971,6 @@ bash$ \fBecho $$\fP >> .fi >> .in >> >> -Inside the user namespace, the shell has user and group ID 0, >> -and a full set of permitted and effective capabilities: >> - >> -.in +4n >> -.nf >> -bash$ \fBcat /proc/$$/status | egrep '^[UG]id'\fP >> -Uid: 0 0 0 0 >> -Gid: 0 0 0 0 >> -bash$ \fBcat /proc/$$/status | egrep '^Cap(Prm|Inh|Eff)'\fP >> -CapInh: 0000000000000000 >> -CapPrm: 0000001fffffffff >> -CapEff: 0000001fffffffff >> -.fi >> -.in >> - >> Mounting a new >> .I /proc >> filesystem and listing all of the processes visible 
>> @@ -1001,6 +986,21 @@ bash$ \fBps ax\fP >> 22 pts/3 R+ 0:00 ps ax >> .fi >> .in >> + >> +Inside the user namespace, the shell has user and group ID 0, >> +and a full set of permitted and effective capabilities: >> + >> +.in +4n >> +.nf >> +bash$ \fBcat /proc/$$/status | egrep '^[UG]id'\fP >> +Uid: 0 0 0 0 >> +Gid: 0 0 0 0 >> +bash$ \fBcat /proc/$$/status | egrep '^Cap(Prm|Inh|Eff)'\fP >> +CapInh: 0000000000000000 >> +CapPrm: 0000001fffffffff >> +CapEff: 0000001fffffffff >> +.fi >> +.in >> .SS Program source >> \& >> .nf >> @@ -1177,6 +1177,7 @@ childFunc(void *arg) >> "Failure in child: read from pipe returned != 0\\n"); >> exit(EXIT_FAILURE); >> } >> + close(args\->pipe_fd[0]); >> >> /* Execute a shell command */ >> > 

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
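Review bot: in the hunk at @@ -971,21 +971,6 @@, moving the Uid/Gid/capabilities paragraph below the /proc mount is the right fix (before the new /proc is mounted, /proc/$$/status is resolved through the parent's /proc and shows the outer namespace's PID 1), but the surviving text that now starts at "Mounting a new /proc filesystem" does not say why the order matters; a sentence stating that /proc/$$/status only describes the new shell once the new /proc is mounted would stop the next editor from swapping the paragraphs back.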
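Review bot: style point on the commands re-added in the hunk at @@ -1001,6 +986,21 @@: `cat /proc/$$/status | egrep '^[UG]id'` is a useless use of cat, and `egrep` is a deprecated spelling of `grep -E`, so since the lines are being moved anyway they could become `grep -E '^[UG]id' /proc/$$/status` and `grep -E '^Cap(Prm|Inh|Eff)' /proc/$$/status`. Also, the CapPrm/CapEff value 0000001fffffffff is simply the full capability set of the kernel the example was run on, so readers on a kernel with a different number of capabilities will see a different mask; a short note that the exact value depends on the kernel version would avoid confusion.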
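Review bot: the `close(args->pipe_fd[0]);` added in the hunk at @@ -1177,6 +1177,7 @@ sits in the right place (after the synchronizing read, before the exec), but it only prevents the read end leaking into the exec'd shell on this one path, and its return value is not checked. If the intent is that no pipe descriptor survives the exec, creating the pipe with `pipe2(pipe_fd, O_CLOEXEC)` (Linux-specific, fine for this page) makes the kernel close both ends at exec regardless of code path, and the explicit close becomes unnecessary; otherwise, check that the child has already closed the write end before the read in the visible context, since a copy of the write end held by the child itself would keep that read from ever returning 0.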